https://adicpnn.com/tags/iam/Recent content in Iam on security ?!Hugoen-usThu, 12 Mar 2026 00:00:00 +0000https://adicpnn.com/blog/cloudfoxable/backwards/Thu, 12 Mar 2026 00:00:00 +0000https://adicpnn.com/blog/cloudfoxable/backwards/<!-- raw HTML omitted --> <p>In some challenges, you might not see an IAM role or an IP address as the starting point, but rather, an interesting ARN or something like that.</p> <p>Sometimes during cloud penetration tests, we first find something interesting and then work backwards to see who has access to it. Is it just the Administrators? Well, that&rsquo;s not really a big deal. Is it all developers, or all users, or anyone in the world? That might be a really big deal!</p>https://adicpnn.com/blog/cloudfoxable/pain/Thu, 12 Mar 2026 00:00:00 +0000https://adicpnn.com/blog/cloudfoxable/pain/<!-- raw HTML omitted --> <p>In the 2022 FIFA World Cup, Christian Pulisic put his body on the line to net a crucial goal for the USA, ensuring their progression beyond the group stage: <a href="https://www.youtube.com/watch?v=Y7VA30UYlQo">https://www.youtube.com/watch?v=Y7VA30UYlQo</a>. He did what he had to do, even though he knew it was going to hurt.</p> <p>Similarly, during a penetration test, whether in a cloud environment or otherwise, you might identify a exploit path that won&rsquo;t be pleasant to exploit, but you know the end result will be worth it.</p>https://adicpnn.com/blog/cloudfoxable/root/Thu, 12 Mar 2026 00:00:00 +0000https://adicpnn.com/blog/cloudfoxable/root/<!-- raw HTML omitted --> <p>You&rsquo;ve just gained access to the role Kent. Can you get to the root flag in the SSM parameter store?</p> <!-- raw HTML omitted --> <h3 id="information-gathering">Information Gathering</h3> <p>Short and concise challenge details, I will start by preparing a profile for ramos, and checking which policies are attached to it.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">adicpnn@laboratory cloud % cat ~/.aws/config<span class="p">|</span> tail </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>profile kent<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="nv">region</span> <span class="o">=</span> eu-central-1 </span></span><span class="line"><span class="cl"><span class="nv">role_arn</span> <span class="o">=</span> arn:aws:iam::129323993607:role/Kent </span></span><span class="line"><span class="cl"><span class="nv">source_profile</span> <span class="o">=</span> cloudfoxable </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">adicpnn@laboratory cloud % aws iam list-attached-role-policies --role-name Kent --profile cloudfoxable </span></span><span class="line"><span class="cl"><span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;AttachedPolicies&#34;</span>: <span class="o">[</span> </span></span><span class="line"><span class="cl"> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;PolicyName&#34;</span>: <span class="s2">&#34;root-policy1&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;PolicyArn&#34;</span>: <span class="s2">&#34;arn:aws:iam::129323993607:policy/root-policy1&#34;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"> <span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>A single policy attached, let&rsquo;s see what type of access it grants.</p>https://adicpnn.com/blog/cloudfoxable/segue/Thu, 12 Mar 2026 00:00:00 +0000https://adicpnn.com/blog/cloudfoxable/segue/<!-- raw HTML omitted --> <p>You&rsquo;ve just gained access to the reinier role. Utilize cloudfox and see where it takes you!</p> <!-- raw HTML omitted --> <h3 id="information-gathering">Information Gathering</h3> <p>First things first, set up the profile, and test access.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">adicpnn@laboratory cloud % cat ~/.aws/config <span class="p">|</span> tail </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>profile reinier<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="nv">region</span> <span class="o">=</span> eu-central-1 </span></span><span class="line"><span class="cl"><span class="nv">role_arn</span> <span class="o">=</span> arn:aws:iam::129323993607:role/reinier </span></span><span class="line"><span class="cl"><span class="nv">source_profile</span> <span class="o">=</span> cloudfoxable </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">adicpnn@laboratory cloud % aws sts get-caller-identity --profile reinier </span></span><span class="line"><span class="cl"><span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;UserId&#34;</span>: <span class="s2">&#34;AROAR4HCPRIDTDEJTABUR:botocore-session-1773311810&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Account&#34;</span>: <span class="s2">&#34;129323993607&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Arn&#34;</span>: <span class="s2">&#34;arn:aws:sts::129323993607:assumed-role/reinier/botocore-session-1773311810&#34;</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>Then, enumerating attached policies.</p>